2008 Woodie Awards
CampusWeb Displays ID Pictures, Not ID Numbers, Thanks to Recent Changes
Jim Segedy
Issue date: 2/9/05 Section: News
Members of the Goucher community may rest easy, as a security flaw in the CampusWeb system has been recently fixed.
What was dubbed as "maintenance" in an email from the Help Desk was actually an operation that changed the names of the CampusWeb pictures, which were previously named after the person's ID number.
"I did discover [this situation] independently about the same time [several students] alerted me to it," explains Thomas Kelliher, Associate Professor of Mathematics and Computer Science.
This realization took place in October, when students in a computer science course were downloading photos from CampusWeb to use in a project. It was also around that time that some students realized the harmful potential of having their student ID number available to all members of the Goucher community.
Kelliher provided one of the more threatening scenarios when he asked students if delivery people from off-campus venders ever checked the OneCard of the student who received delivered food.
This possibility started a series of jokes and rumors. Certain students began claiming that they had charged pizza delivery to President Sanford J. Ungar's OneCard account by using his ID number, obtained from his CampusWeb photo.
Kelliher also noted that some students were being accused of forming personal databases linking students to their ID numbers.
The possibility of identity theft was greater than it seemed. Not only was there the real possibility of a student ordering food with another's Gopher Bucks, but a student's CampusWeb account may also have been vulnerable.
This is not outwardly apparent, since the Student Information Technology Handbook claims that "The first time you login [to CampusWeb], you will need to enter your GCADMIN username and your social security number without dashes as the password."
However, Carys Lustig, '08, asserts that the default password for her CampusWeb account was her student ID number. She recalls a time last semester when she had forgotten her CampusWeb password. "When I called up the help desk, they reset my password, and they reset it to my ID number," she said.
What was dubbed as "maintenance" in an email from the Help Desk was actually an operation that changed the names of the CampusWeb pictures, which were previously named after the person's ID number.
"I did discover [this situation] independently about the same time [several students] alerted me to it," explains Thomas Kelliher, Associate Professor of Mathematics and Computer Science.
This realization took place in October, when students in a computer science course were downloading photos from CampusWeb to use in a project. It was also around that time that some students realized the harmful potential of having their student ID number available to all members of the Goucher community.
Kelliher provided one of the more threatening scenarios when he asked students if delivery people from off-campus venders ever checked the OneCard of the student who received delivered food.
This possibility started a series of jokes and rumors. Certain students began claiming that they had charged pizza delivery to President Sanford J. Ungar's OneCard account by using his ID number, obtained from his CampusWeb photo.
Kelliher also noted that some students were being accused of forming personal databases linking students to their ID numbers.
The possibility of identity theft was greater than it seemed. Not only was there the real possibility of a student ordering food with another's Gopher Bucks, but a student's CampusWeb account may also have been vulnerable.
This is not outwardly apparent, since the Student Information Technology Handbook claims that "The first time you login [to CampusWeb], you will need to enter your GCADMIN username and your social security number without dashes as the password."
However, Carys Lustig, '08, asserts that the default password for her CampusWeb account was her student ID number. She recalls a time last semester when she had forgotten her CampusWeb password. "When I called up the help desk, they reset my password, and they reset it to my ID number," she said.
Be the first to comment on this story